MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d944abab1481457eacf9f1d08f835980c2146ec91513e2eb94714c6abaec5f34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d944abab1481457eacf9f1d08f835980c2146ec91513e2eb94714c6abaec5f34
SHA3-384 hash: 8fa04afbd83ee353ed95da60ef71df05f10e12c9576721f228a9de80da487d35a1554bc8e3b08a9584c9219c77dddbe0
SHA1 hash: 65e8cadb4901556ff9da328d158bc02fa37faf27
MD5 hash: 9d1ad28ba8644e9a8b7e133960cdb512
humanhash: diet-october-low-zebra
File name:Registration_Form.rtf
Download: download sample
File size:459'896 bytes
First seen:2026-02-03 12:28:47 UTC
Last seen:Never
File type:Rich Text Format (RTF) rtf
MIME type:text/rtf
ssdeep 6144:mh1LGaOXUIkzq1p3UD4Cl44tfdil5ekizT9qr/S:NCn
TLSH T17AA4ECB62137CA20F125A44F452F790E0593F2DA8DF768D5C6EADD7481B3DB2AA2470C
TrID 83.3% (.RTF) Rich Text Format (5000/1)
16.6% (.JSON) JSON object (generic) (1000/1)
Magika rtf
Reporter smica83
Tags:CVE-2026-21509 rtf UKR

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
MSO
Details
MSO
extracted component(s) such as package(s) and OLE files
Link:
https://research.acce.ciphertechsolutions.com/results/fdf7dd4d-7a74-4072-a59e-3c1c64dc7e2e/
Malware family:
n/a
ID:
1
File name:
Registration_Form.rtf
Verdict:
No threats detected
Analysis date:
2025-12-30 08:13:38 UTC
Tags:
ole-embedded generated-doc
Link:
https://app.any.run/tasks/f1814bf0-c894-41a0-9fff-7c0779cab776

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/rtf
Has a screenshot:
False
Contains macros:
False
Detection(s):
Rtf.Exploit.CVE_2026_21509-10059214-0
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694e1e9f01c7b4a8fe55ffa2
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Searching for the window
Connection attempt
Connection attempt by exploiting the app vulnerability
Sending a custom TCP request by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
RTF File
Link:
https://app.docguard.net/d944abab1481457eacf9f1d08f835980c2146ec91513e2eb94714c6abaec5f34/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
CVE-2026-21509
Link:
https://www.hybrid-analysis.com/sample/d944abab1481457eacf9f1d08f835980c2146ec91513e2eb94714c6abaec5f34
Verdict:
Malicious
File Type:
rtf
First seen:
2025-12-26T02:51:00Z UTC
Last seen:
2025-12-27T03:42:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.MSOffice.Agent.gen
Link:
https://opentip.kaspersky.com/d944abab1481457eacf9f1d08f835980c2146ec91513e2eb94714c6abaec5f34/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1862384
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office drops RTF file
Behaviour
Behavior Graph:
Download SVG
Score:
1%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/d944abab1481457eacf9f1d08f835980c2146ec91513e2eb94714c6abaec5f34
Gathering data
Verdict:
Malicious
Threat:
Trojan.MSOffice.Agent
Link:
https://tip.neiki.dev/file/d944abab1481457eacf9f1d08f835980c2146ec91513e2eb94714c6abaec5f34
Threat name:
Win32.Exploit.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2025-12-26 05:35:26 UTC
File Type:
Document
Extracted files:
82
AV detection:
5 of 35 (14.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3fckxkyuqfcx5lhz6hii7a2zqdbbi3wjcuj6f24uofggvoxml42a._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/260203-pn3w3shs6f/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d944abab1481457eacf9f1d08f835980c2146ec91513e2eb94714c6abaec5f34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments